An Ethernet switch (i.e., the switch) forwards Ethernet frames to a specific port depending on the physical destination address (i.e., MAC address) from the Ethernet frame. In order to do this, the switch must remember which port leads to a specific destination address. This information is stored in a MAC table that is populated (i.e., built) by means known as source learning. Source leaning includes the switch dynamically learning the MAC address of an Ethernet frame by checking the source address of a received Ethernet frame. If the MAC address for this Ethernet frame does not exist in the MAC table, a record is created associating this MAC address with the port on which the MAC address was learned.
Each dynamically learned entry has a time-to-live. In this manner, each entry in the MAC table will age out if an Ethernet frame designating that respective MAC address is not received by the switch for a configurable period of time. This configurable period of time is referred to as the timeout value. When the MAC table is full, no MAC address will be learned until some entry in the table ages out.
With respect to malicious acts associated with managing information within a MAC table, MAC table overflow attack is one of the major risks to Ethernet LAN and simulated Ethernet LAN service such as, for example, Virtual Private LAN Service (VPLS) over MPLS (Multi Protocol Label Switching). In a MAC table overflow attack, an attacker attempts to exploit source leaning of an MAC table of an Ethernet switch. Such exploitation includes subjecting the Ethernet switch with a large number of invalid source MAC addresses (i.e., flooding with invalid source MAC addresses) to fill up the MAC table with such invalid source MAC addresses. In doing so, traffic to and from unknown address will be flooded to all ports of the Ethernet switch causing network performance to degrade significantly and allowing the attacker to snoop the traffic. If the attacker maintains the flood of invalid source MAC addresses, eventually all the older legitimate MAC entries could age out, and all legitimate traffic would be flooded. From both a performance and a security perspective, problems associated with MAC address flooding become more serious when Ethernet is deployed across a metro or wide area network.
One known approach to defending against MAC address flooding is referred to as “Port Security”. Port Security functions to prevent MAC table over-flow by allowing a network administrator to configure (e.g., statistically configure) the MAC addresses that are allowed for a particular port of an Ethernet switch. Frames that are originated from addresses other than the configured address(es) are dropped. However, a limitation of Port Security is that it is not suitably scalable because each MAC address needs to be configured manually on the Ethernet switch. As such, when a network becomes sufficiently large (e.g., a carrier network), it is often impossible to configure each and every MAC address manually.
An extension to Port Security is referred to as “Dynamical Port Security”. Dynamical Port Security allows the administrator to specify the number of MAC addresses allowed for each port, as opposed to just being able to configure the MAC addresses themselves. When the specified number of MAC addresses is learned for the configured port, other source MAC address will not be allowed. In this manner, Dynamical Port Security resolves the problem of manual configuration of MAC address. But, Dynamical Port Security is not without its own limitations. For example, if an attacker launches MAC flooding attack in one port, it can cause a Denial of Service (DoS) attack to legitimate hosts connected to the same port when the MAC address limit allowance is reached. Moreover, Dynamical Port Security is limited in its flexibility. If new users are added to a port, the MAC address limit allowance on the switch has to be raised to accommodate more MAC addresses. For these reasons, Dynamical Port Security is not suitable for a service provider's network.
A standard referred to as MACSec (i.e., MAC Security as defined in EEEE 802.1ae) provides LAN security by using cryptographic techniques to protect data confidentiality and integrity in a LAN, and it also indirectly resolves the MAC flooding problem. But, MACSec is a heavyweight solution that requires support of switches and all end users to prevent a DoS attack. Accordingly, it may not work in an exiting network. Furthermore, MACSec is not practical to upgrade a required installation base of Ethernet to support this standard, and some mechanisms must be in place to deliver PKI (public key infrastructure) security keys either out of band or online before network communication can be initiated. Significant key management work must to be done to support the MACSec standard. As a result, to some users who are more concerned about the speed and service availability, like a VPLS service provider, a lightweight solution to MAC table overflow attack may be more desirable.
Therefore, a solution that defends against MAC table overflow attacks in a manner that overcomes limitations associated with known approaches for defending against MAC table overflow attacks would be advantageous, desirable and useful.